LDAP Kerberos authentication
Hello,

I'm playing with Kerberos authentication on my box and there are some problems that I need assistance for. For the first time I saw a lack of documentation on OpenBSD (well, maybe it's time to contribute :-)) regarding authentication. The FAQ doesn't help much on Kerberos. It just says to read # info heimdal. Well, I did it and I was a little disappointed. The info is great to set up a Kerberos server but, being new to Kerberos, I'd have liked info on setting up a client.

After some hours googling/learning, I finally managed to get the Kerberos server running and configured the OpenBSD client as follows:

    # cat /etc/kerberosV/krb5.conf
    [libdefaults]
        default_realm = CLAER.HAMMOCK.FR
    [realms]
        CLAER.HAMMOCK.FR = {
            kdc = diogene.claer.hammock.fr
            admin_server = diogene.claer.hammock.fr
            master_kdc = diogene.claer.hammock.fr
            default_domain = claer.hammock.fr
        }
    [domain_realm]
        .claer.hammock.fr = CLAER.HAMMOCK.FR
        claer.hammock.fr = CLAER.HAMMOCK.FR

    # ls -l /etc/kerberosV/krb5.keytab
    -rw-------  1 root  wheel  358 May 15 15:45 /etc/kerberosV/krb5.keytab

From there, I can obtain a Kerberos ticket on the system:

    # kinit claer
    cl...@claer.hammock.fr's Password:
    # klist
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: cl...@claer.hammock.fr

      Issued           Expires          Principal
    May 19 10:06:28  May 19 20:05:51  krbtgt/claer.hammock...@claer.hammock.fr

Strange thing is I saw this in the server logfile:

    May 19 10:06:34 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0, cl...@claer.hammock.fr for krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database
    May 19 10:06:37 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0, cl...@claer.hammock.fr for krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database

It seems that the client is trying to get a ticket for the AFS client. AFS is not enabled on my BSD box and I don't need it. The only reference I found on UALBERTA.CA is /etc/afs/ThisCell. Is there a way to disable this behavior?

Regards,

Claer
Re: LDAP Kerberos authentication
On Wed, 19 May 2010, Claer wrote:
> It seems that the client is trying to get a ticket for the AFS client. AFS is not enabled on my BSD box and I don't need it. The only reference I found on UALBERTA.CA is /etc/afs/ThisCell. Is there a way to disable this behavior?

Yes.

    [appdefaults]
        kinit = {
            afslog = no
        }

-- 
Antoine
Re: LDAP Kerberos authentication
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
>> It seems that the client is trying to get a ticket for the AFS client. AFS is not enabled on my BSD box and I don't need it. The only reference I found on UALBERTA.CA is /etc/afs/ThisCell. Is there a way to disable this behavior?
>
> Yes.
>
>     [appdefaults]
>         kinit = {
>             afslog = no
>         }

Perfect :)

Now I can move forward and play with ypldap.

Thanks.

Claer
Re: LDAP Kerberos authentication
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
>> It seems that the client is trying to get a ticket for the AFS client. AFS is not enabled on my BSD box and I don't need it. The only reference I found on UALBERTA.CA is /etc/afs/ThisCell. Is there a way to disable this behavior?
>
> Yes.
>
>     [appdefaults]
>         kinit = {
>             afslog = no
>         }

Continuing to play with Kerberos, I'm adding ypldap into play. This time, I'd like to use LDAP to add entries to getent passwd and Kerberos for authentication (I'd like to avoid the login_ldap step if possible).

As my Kerberos setup is now OK, I declared the LDAP server in /etc/ypldap.conf, started portmap, ypldap and ypbind, and added the +: entries to passwd and group. Now I have a working ypbind system. To confirm this, I renamed my local account to _claer using vipw and verified the output of getent passwd:

    # getent passwd | grep claer
    _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
    claer:*:1000:1000:Claer:/home/claer:/bin/ksh

Now the next step is to try an authentication with ssh. That's why /etc/login.conf has been modified regarding the auth entry:

    auth-defaults:auth=krb5-or-pwd,passwd:

But, when I try to ssh in with -l claer, sshd doesn't seem to find the claer passwd entry and I have this line on the Kerberos server:

    May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Any hint?

Regards,

Claer
Re: LDAP Kerberos authentication
On Wed, 19 May 2010, Claer wrote:
>     _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
>     claer:*:1000:1000:Claer:/home/claer:/bin/ksh
>
> Now the next step is to try an authentication with ssh. That's why /etc/login.conf has been modified regarding the auth entry:
>
>     auth-defaults:auth=krb5-or-pwd,passwd:
>
> But, when I try to ssh in with -l claer, sshd doesn't seem to find the claer passwd entry and I have this line on the Kerberos server:
>
>     May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
>
> Any hint?

Did you add your host principal to /etc/kerberosV/krb5.keytab?

-- 
Antoine
Re: LDAP Kerberos authentication
On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
>>     _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
>>     claer:*:1000:1000:Claer:/home/claer:/bin/ksh
>>
>> Now the next step is to try an authentication with ssh. That's why /etc/login.conf has been modified regarding the auth entry:
>>
>>     auth-defaults:auth=krb5-or-pwd,passwd:
>>
>> But, when I try to ssh in with -l claer, sshd doesn't seem to find the claer passwd entry and I have this line on the Kerberos server:
>>
>>     May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
>>
>> Any hint?
>
> Did you add your host principal to /etc/kerberosV/krb5.keytab?

Yep. If the claer local account is enabled, it's working fine with Kerberos auth. I can confirm this by watching log files and I even tried to alter the hashed passwd with vipw to be sure I was not using the local password.

ypldap + ypbind are working fine:

    # tail -n 2 /etc/passwd
    _claer:*:1000:1000:Claer:/home/claer:/bin/ksh
    +:*:0:0:::/bin/ksh
    # getent passwd | tail -n 4
    _claer:$2a$06$SgIzOv47AbodJPX7jzgAoOioV322Dk5Cha9VCyqgU/b6/YUDU4TM6:1000:1000:Claer:/home/claer:/bin/ksh
    claer:*:1000:1000:Claer:/home/claer:/bin/ksh
    megami:*:1001:1001:Megami:/home/megami:/bin/ksh
    nobody:*:65534:65534:nobody:/nonexistent:/bin/ksh

I started a test ssh server on port to check. Here are the interesting debug logs:

    debug1: userauth-request for user claer service ssh-connection method none
    debug1: attempt 0 failures 0
    debug1: unable to get login class: claer
    input_userauth_request: invalid user claer
    Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
    debug1: userauth-request for user claer service ssh-connection method publickey
    debug1: attempt 1 failures 0
    debug1: userauth-request for user claer service ssh-connection method keyboard-interactive
    debug1: attempt 2 failures 1
    debug1: keyboard-interactive devs
    debug1: auth2_challenge: user=claer devs=
    debug1: kbdint_alloc: devices 'bsdauth'
    debug1: auth2_challenge_start: trying authentication method 'bsdauth'
    debug1: userauth-request for user claer service ssh-connection method password
    debug1: attempt 3 failures 2
    debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
    debug1: restore_uid: 0/0
    debug1: Kerberos password authentication failed: Client not found in Kerberos database
    debug1: krb5_cleanup_proc called
    Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2

The log extract from authlog:

    May 19 20:44:24 socrate krb5-or-pwd: verify: Client not found in Kerberos database

However, on the Kerberos server side, no request has been made for the claer account:

    May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!

Claer
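Both problems in this thread first show up as refused requests in the KDC log: TGS_REQ ... UNKNOWN_SERVER for a krbtgt of a realm the KDC has never heard of (the stray afslog), and AS_REQ ... CLIENT_NOT_FOUND for a principal that does not exist. As an added example (not code from the thread or from OpenBSD/Heimdal), here is a small POSIX sh/awk triage script for krb5kdc lines in the format quoted above: it parses each AS_REQ/TGS_REQ line into status, request type, client and service principal, lists the requests the KDC refused, and flags cross-realm TGT requests (krbtgt/<other realm>@<our realm>), which is the pattern an unwanted afslog produces. The sample log lines, hostnames, IPs and principals are constructed for the example and are not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: triage of krb5kdc log lines.
# All log lines, hosts, IPs and principals below are constructed.

# Constructed sample in the format of the krb5kdc lines quoted in the thread.
KDC_LOG_SAMPLE='May 19 10:06:34 kdc krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, alice@EXAMPLE.ORG for krbtgt/OTHERCELL.EXAMPLE@EXAMPLE.ORG, Server not found in Kerberos database
May 19 10:06:40 kdc krb5kdc[1234](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.10: ISSUE: authtime 1274256400, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
May 19 17:18:46 kdc krb5kdc[1234](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.10: CLIENT_NOT_FOUND: nouser@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database'

# parse_kdc_log: read krb5kdc lines on stdin and print one record per request:
#   <status> <request type> <client principal> <service principal>
parse_kdc_log() {
    awk '
    /krb5kdc\[[0-9]+\]/ {
        type = ""; status = ""; client = ""; service = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "AS_REQ" || $i == "TGS_REQ") {
                type = $i
            } else if (type != "" && status == "" && $i ~ /^[A-Z_]+:$/ && $(i-1) ~ /:$/) {
                # the first "WORD:" token after the "<ip>:" token is the KDC status
                status = substr($i, 1, length($i) - 1)
            } else if ($i == "for" && i < NF) {
                # "<client> for <service>[,]"
                client = $(i-1); service = $(i+1)
                sub(/,$/, "", service)
            }
        }
        if (type != "" && status != "") print status, type, client, service
    }'
}

# kdc_failures: every parsed request the KDC did not answer with ISSUE.
kdc_failures() {
    parse_kdc_log | awk '$1 != "ISSUE"'
}

# cross_realm_tgts: requests for krbtgt/<other realm>@<our realm>, i.e. a
# client asking for a cross-realm TGT.  An afslog run against a cell whose
# realm the KDC does not know (such as the one in /etc/afs/ThisCell) shows
# up here.  Prints "<client principal> <requested realm>".
cross_realm_tgts() {
    parse_kdc_log | awk '
    $4 ~ /^krbtgt\// {
        n = split($4, p, "[/@]")   # p[2] = instance (target realm), p[3] = realm
        if (n == 3 && p[2] != p[3]) print $3, p[2]
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$KDC_LOG_SAMPLE" | kdc_failures
printf '%s\n' "$KDC_LOG_SAMPLE" | cross_realm_tgts
```

On a real KDC, feed the log file to the functions instead of the sample (for example `kdc_failures < /var/log/krb5kdc.log`, path assumed). A steady stream of cross-realm krbtgt requests from one client is the signature of the afslog behaviour discussed above, and a CLIENT_NOT_FOUND for a principal that is not the one the user typed is worth checking against what the login class actually handed to the krb5 verifier.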
Re: LDAP Kerberos authentication
On 19.05.2010 20:52, Claer wrote:
> However, on the Kerberos server side, no request has been made for the claer account:
>
>     May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
>
> Thanks for helping me so far!
>
> Claer

Hi Claer,

I'm not sure if this may help, but I asked myself if the client/user you are connecting from is using Kerberos.

HTH.

enni | telsh

-- 
It is no use saying "we are doing our best". You have got to succeed in doing what is necessary. -- Winston Churchill
Re: LDAP Kerberos authentication
On Wed, May 19 2010 at 14:21, Enrico Scichilone wrote:
> On 19.05.2010 20:52, Claer wrote:
>> However, on the Kerberos server side, no request has been made for the claer account:
>>
>>     May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
>>
>> Thanks for helping me so far!
>>
>> Claer
>
> Hi Claer,
>
> I'm not sure if this may help, but I asked myself if the client/user you are connecting from is using Kerberos.

There shouldn't be any difference. In this case, Kerberos is used to verify the authentication of the user from the ssh server's point of view, not to verify whether the user already has a krb ticket and log him in automatically.

However, I did the test and it didn't change anything (as expected :) ).

Claer